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Certificate ::= SEQUENCE {
    tbsCertificate          TBSCertificate,
    signatureAlgorithm      AlgorithmIdentifier,
    signature               BIT STRING }

TBSCertificate ::= SEQUENCE {
    version                 [0] Version DEFAULT v1,
    serialNumber            CertificateSerialNumber,
    signature               AlgorithmIdentifier,
    issuer                  Name,
    validity                Validity,
    subject                 Name,
    subjectPublicKeyInfo    SubjectPublicKeyInfo,
    issuerUniqueID          [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID         [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions              [3] Extensions OPTIONAL }



Version ::= INTEGER { v1(0), v2(1), v3(2) }

CertificateSerialNumber ::= INTEGER



Validity ::= SEQUENCE {
    notBefore       Time,
    notAfter        Time }

Time ::= CHOICE {
    utcTime         UTCTime,
    generalTime     GeneralizedTime }

UniqueIdentifier ::= BIT STRING



SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm           AlgorithmIdentifier,
    subjectPublicKey    BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension



Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING }
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AttributeCertificate ::= SEQUENCE {
    acinfo                  AttributeCertificateInfo,
    signatureAlgorithm      AlgorithmIdentifier,
    signatureValue          BIT STRING
}

AttributeCertificateInfo ::= SEQUENCE {
    version                 AttCertVersion DEFAULT v1,
    holder                  Holder,
    issuer                  AttCertIssuer,
    signature               AlgorithmIdentifier,
    serialNumber            CertificateSerialNumber,
    attrCertValidityPeriod  AttCertValidityPeriod,
    attributes              SEQUENCE OF Attribute,
    issuerUniqueID          UniqueIdentifier OPTIONAL,
    extensions              Extensions OPTIONAL
}



AttCertVersion ::= INTEGER { v1(0), v2(1) }



Holder ::= SEQUENCE {
    baseCertificateID   [0] IssuerSerial OPTIONAL,
        -- the issuer and serial number of
        -- the holder's Public Key Certificate
    entityName          [1] GeneralNames OPTIONAL,
        -- the name of the claimant or role
    objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
        -- if present, version must be v2
}



ObjectDigestInfo ::= SEQUENCE {
    digestedObjectType  ENUMERATED {
        publicKey           (0),
        publicKeyCert       (1),
        otherObjectTypes    (2) },
            -- otherObjectTypes MUST NOT
            -- be used in this profile
    otherObjectTypeID   OBJECT IDENTIFIER OPTIONAL,
    digestAlgorithm     AlgorithmIdentifier,
    objectDigest        BIT STRING
}
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AttCertIssuer ::= CHOICE {
    v1Form      GeneralNames,   -- v1 or v2
    v2Form      [0] V2Form      -- v2 only
}

V2Form ::= SEQUENCE {
    issuerName          GeneralNames OPTIONAL,
    baseCertificateID   [0] IssuerSerial OPTIONAL,
    objectDigestInfo    [1] ObjectDigestInfo OPTIONAL
        -- at least one of issuerName, baseCertificateID
        -- or objectDigestInfo MUST be present
}

IssuerSerial ::= SEQUENCE { 
issuer GeneralNames, 
serial CertificateSerialNumber, 
issuerUID UniqueIdentifier OPTIONAL

} 

AttCertValidityPeriod ::= SEQUENCE { 
notBeforeTime GeneralizedTime, 
notAfterTime GeneralizedTime 

} 

Attribute ::= SEQUENCE { 
type AttributeType, 
values SET OF AttributeValue 

-- at least one value is required

} 

AttributeType ::= OBJECT IDENTIFIER 
AttributeValue ::= ANY DEFINED BY AttributeType 
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OID { id-aca 1 } 
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SvceAuthInfo ::= SEQUENCE {
    service     GeneralName,
    ident       GeneralName,
    authInfo    OCTET STRING OPTIONAL
}
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BEGIN 
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